TARH ANDISHAN
In April 2010, a worm called Stuxnet, allegedly jointly developed by the United States and Israel, targeted Siemens industrial control systems (ICS) in developing nations such as Iran (~59%), Indonesia (~18%), and India (~8%). Stuxnet infection contained a programmable logic controller (PLC) rootkit designed to spy upon, subvert, and in some cases sabotage Siemens supervisory control and data acquisition (SCADA) systems that regulated specific industrial systems. In particular, Stuxnet variants were deployed by a nation state actor against Iranian industrial facilities associated with its nuclear program, such as uranium enrichment facilities. The Stuxnet infection was discovered three months later, but variants continued to compromise Iranian systems through 2012. Iran’s nuclear infrastructure and its oil and gas infrastructure was also targeted by the Duqu malware from 2009-2011, and the Flame malware in 2012. In response to adversarial cyber warfare campaigns, Iran began rapidly developing its cyber warfare infrastructure. In December 2014, Cylance exposed Iranian threat actor, Tarh Andishan in the white paper of their 2-year Operation Cleaver investigation.
Tarh Andishan was likely developed in response to the Stuxnet infection, Duqu, and Flame campaigns. Iran could be demonstrating to global targets that it is a major cyber warfare power, capable of competing with countries such as the United States, China, and Russia, on the global cyber landscape. Cylance released Operation Cleaver early to allow potential targets the opportunity to mitigate the threat to their systems, so they estimate that they only discovered a portion of the activity of Tarh Andishan. Nevertheless, Cylance managed to build an impressive profile of Tarh Andishan’s operation, including hacker profiles, domain names, internal infrastructure, and indicators of compromise.
The infrastructure used to host the attacks belonged to the corporate entity Tarh Andishan in Iran, after which the threat group is named. The infrastructure was hosted by an Iranian provider (Netafraz.com), and Autonomous System Networks (ASNs), IP source netblocks, and domains were registered in Iran. The netblocks utilized had strong associations to state-owned oil and gas companies that employ individuals with expert knowledge of ICS systems. Further, tools in the malware warn the attackers if their outward facing IP address traces back to Iran. The infrastructure utilized by the group is too robust and too centralized to have belonged to an individual or small “grass-roots” hacktivist group. This leads leading security firms, such as Cylance, to believe that Tarh Andishan is either state sponsored or a well-funded mercenary hacker group.
In Farsi, “Tarh Andishan” translates as “Thinkers”, “Innovators”, or “Inventors”. Tarh Andishan consists of at least 20 dedicated hackers and developers, believed to be located in Tehran, Iran. Additional, members or hired associates operate out of the Netherlands, Canada, and the United Kingdom. Persian names (Salman Ghazikhani, Bahman Mohebbi, etc.) were used as hacker monikers. Most targets of Tarh Andishan speak English as a primary language and it appears that members of the group are proficient in reading and writing in English. Different members of the group specialize in different malware, different malware development tools, different programming languages and different adversary techniques.
Tarh Andishan targets government entities and critical infrastructure facilities in Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States. Specifically, Tarh Andishan has been known to target: military installations, oil and gas facilities, energy facilities, utility facilities, transportation facilities, airlines, airports, hospitals, telecommunication companies, technology firms, institutions of education and research, aerospace and defense facilities, chemical companies, and governments. The expansive range of targets across the globe indicates that the Tarh Andishan campaign is likely a mechanism for gaining geopolitical leverage and establishing Iran as a cyber-power. Iran may be demonstrating that it can retaliate against any country that compromises its cyber-security.
Academic institution networks are often targeted by malware because universities, especially those that work with their government in some capacity, sponsor valuable research. Universities often store sensitive PII documents and research on local servers. Yet, university networks are de-centralized and often poorly secured because different schools on campuses host different networks that are supported by different IT teams and each network needs to be accessible to thousands of users with varying needs. While the origins of Stuxnet infection have never been definitively confirmed, it is believed to have originated out of a university research program. Tarh Andishan targets university networks for research, but according to Operation Cleaver, it also attempts to steal student PII, student photos for identification cards, and passport information from universities in the United States, India, Israel, and South Korea. Student PII and photos could be used for identity theft, but it could also be used for intelligence purposes because the next generation of government recruits and security researchers are currently students.
Tarh Andishan targeted airlines, airports, and transportation networks in South Korea, Saudi Arabia, and Pakistan by compromising Windows Active Directory and physical internal infrastructure such as Cisco edge switches, and routers. From there, the attackers stole VPN credentials so that they could establish a persistent presence and so that they could remotely access the entire infrastructure and supply chain. Tarh Andishan used the compromised credentials and VPN access to compromise airport gates, access security control systems, make fraudulent payments with Paypal and Go Daddy, and to infect other internal infrastructure. Overall, Operation Cleaver saw Tarh Andishan dangerously compromise airline networks without encountering major resistance. Information exfiltrated by Tarh Andishan could put airline passengers at risk if Tarh Andishan used its access to compromise airline ICS, SCADA systems, or other critical infrastructure. Further, Windows Active Directory, Cisco edge switches, and routers are components of networks in almost every organization in almost every sector. Given its success, Tarh Andishan may easily adapt this technique to attack networks in other sectors of its attack profile, if it has not done so already.
According to Cylance, Tarh Andishan’s “Initial compromise techniques include SQL injection, web attacks, and creative deception based attacks – all of which have been implemented in the past by Chinese and Russian hacking teams.” Tarh Andishan did not appear to utilize zero-day exploits. The SQL injection attacks were made possible by attacking vulnerable applications that failed to sanitize input prior to passing it to a database in an SQL query. Later, Tarh Andishan began spear phishing attacks, which involved sending victims an email with a malicious link. One such attack told targets that they had been selected to apply for a new position at an industrial conglomerate and the link directed them to a copy of a legitimate resume creation website. The resume tool was combined with a binder tool that loaded malware onto created documents. The malware runs in the background of the victim’s system and logs keystrokes and the information entered into forms. After the malware infected a host, the attackers would leverage existing, publically available, exploits (such as MS08-067) to escalate their privileges on Windows systems. The malware then propagated through the network like a worm, to compromise other systems on the network. Tarh Andishan compromises Microsoft Windows web servers that run Internet Information Services (IIS) and Coldfusion, Apache servers with PHP, Microsoft Windows desktops, and Linux servers. The group also targets popular network infrastructure such as Cisco VPNs, Cisco switches, and routers.
Tarh Andishan’s most utilized malware, TinyZBot, gathers information from infected systems and it establishes backdoors for persistent access. TinyZBot uses the SOAP sub-protocol of HTTP to communicate with the C&C infrastructure and it abuses SMTP to exfiltrate data to the C&C servers. Among other capabilities, TinyZBot can also take screenshots of the system, download and execute arbitrary code, detect security software, disable some anti-virus, and modify PE resources. Once the malware has infected the system, Tarh Andishan can use customized tools to poison ARP caches, encrypt data, steal credentials, create backdoors, create ASP.Net shells, enumerate processes, record HTTP and SMB communications, detail the network environment, query Windows Management Instrumentation (WMI), log keystrokes, and more. Effectively, Tarh Andishan can customize their tools to suit any target. The Net Crawler tool, which combines popular attacker tools Windows Credential Editor, Mimikat, and PsExec, was used to gather the cached credentials from every accessible computer on the infected network. Shell Creator 2 was used to generate an ASPX web shell to protect the attacker from revealing internal information such as location by human error. The Nbrute utility uses NMap to map the network and then it attempts to determine network credentials via brute force. The attackers can also use tools such as the PVZ bot tool to log keystrokes on specific botted systems and save information on infected systems to specific locations.